BACKGROUND

The Department of Energy and its contractors store and process massive quantities of 
sensitive information to accomplish national security, energy, science, and environmental 
missions. Sensitive unclassified data, such as personally identifiable information (PII), 
official use only, and unclassified controlled nuclear information require special handling 
and protection to prevent misuse of the information for inappropriate purposes. Industry 
experts have reported that more than 203 million personal privacy records have been lost 
or stolen over the past three years, including information maintained by corporations, 
educational institutions, and Federal agencies. The loss of personal and other sensitive 
information can result in substantial financial harm, embarrassment, and inconvenience to 
individuals and organizations. Therefore, strong protective measures, including data 
encryption, help protect against the unauthorized disclosure of sensitive information. 

Prior reports involving the loss of sensitive information have highlighted weaknesses in 
the Department's ability to protect sensitive data. Our report on Security Over Personally 
Identifiable Information (DOE/IG-0771, July 2007) disclosed that the Department had 
not fully implemented all measures recommended by the Office of Management and 
Budget (OMB) and required by the National Institute of Standards and Technology 
(NIST) to protect PII, including failures to identify and encrypt PII maintained on 
information systems. Similarly, the Government Accountability Office recently reported 
that the Department had not yet installed encryption technology to protect sensitive data 
on the vast majority of laptop computers and handheld devices. Because of the potential 
for harm, we initiated this audit to determine whether the Department and its contractors 
adequately safeguarded sensitive electronic information. 

RESULTS OF AUDIT 

The Department had taken a number of steps to improve protection of PII. Our review, 
however, identified opportunities to strengthen the protection of all types of sensitive 
unclassified electronic information and reduce the risk that such data could fall into the 
hands of individuals with malicious intent. In particular, for the seven sites we reviewed: 

• Four sites had either not ensured that sensitive information maintained on 
mobile devices was encrypted or had improperly permitted sensitive 
unclassified information to be transmitted unencrypted through email or to 
offsite backup storage facilities; 

• One site had not ensured that laptops taken on foreign travel, including travel to 
sensitive countries, were protected against security threats; and, 

• Although OMB has required them since 2003, we learned that programs and sites 
were still working to complete Privacy Impact Assessments - analyses designed 
to examine the risks and ramifications of using information systems to collect, 
maintain, and disseminate personal information. 

Our testing revealed that the weaknesses identified were attributable, at least in part, to 
Headquarters programs and field sites that had not implemented existing policies and 
procedures requiring protection of sensitive electronic information. In addition, a lack of 
performance monitoring contributed to the inability of the Department and the National 
Nuclear Security Administration (NNSA) to ensure that measures were in place to fully 
protect sensitive information. As demonstrated by previous computer intrusion-related 
data losses throughout the Department, without improvements, the risk or vulnerability 
for future losses remains unacceptably high. 

In conducting this audit, we recognized that data encryption and related techniques do not 
provide absolute assurance that sensitive data is fully protected. For example, encryption 
will not necessarily protect data in circumstances where organizational access controls 
are weak or are circumvented through phishing or other malicious techniques. However, 
as noted by NIST, when used appropriately, encryption is an effective tool that can, as 
part of an overall risk-management strategy, enhance security over critical personal and 
other sensitive information. 

The audit disclosed that Sandia National Laboratories had instituted a comprehensive 
program to protect laptops taken on foreign travel. In addition, the Department issued 
policy after our field work was completed that should standardize the Privacy Impact 
Assessment process, and, in so doing, provide increased accountability. While these 
actions are positive steps, additional effort is needed to help ensure that the privacy of 
individuals is adequately protected and that sensitive operational data is not 
compromised. To that end, our report contains several recommendations to implement a 
risk-based protection scheme for the protection of sensitive electronic information. 

OTHER MATTERS 


Our review also revealed that sites we reviewed were not encrypting sensitive data 
contained on desktops, servers and other network-based storage devices. This practice, 
currently in place or planned at certain Department of Defense activities to protect 
sensitive information, has been identified by NIST as a best practice and as part of an 
effective risk-based management approach to data protection. Our report, in Appendix 2, 
discusses the benefits and limitations of encryption for these types of devices and 
suggests additional actions that the Department may wish to consider. 
MANAGEMENT REACTION 


Management generally concurred with the report's recommendations and pledged to take 
action to address the weaknesses identified in our report. Management indicated that 
many of the issues identified in our report should be addressed as part of a risk-based 
approach to cyber security. In separate comments, the NNSA neither concurred nor 
disagreed with our specific recommendations. However, the NNSA did express concern 
over the practicality of utilizing encryption software in all situations and questioned the 
need to conduct Privacy Act Assessments. 

As noted in the Management Comments section of this report (Appendix 4), the Office of 
Inspector General agrees that information technology restrictions and requirements 
should be risk-based and that the use of encryption software may be challenging in some 
circumstances. However, given the history of compromises of sensitive information both 
in the Department and in the Government at large, we concluded that an aggressive 
program of protecting information is in the best interest of the Department, its Federal 
and contractor personnel, and national security. 

Attachment 
Chief Information Officer 

PROTECTION OF UNCLASSIFIED SENSITIVE ELECTRONIC INFORMATION 


Ensuring Security of Sensitive Information 


The Department of Energy (Department or DOE) had made 
improvements in implementing protective measures over 
personally identifiable information (PII) and had 
implemented certain recommendations made in our report 
on Security Over Personally Identifiable Information 
(DOE/IG-0771, July 2007). Our current review, however, 
established that additional action was needed to better 
protect all types of unclassified sensitive information, to 
include official use only and unclassified controlled nuclear 
information. In particular, the Department had not ensured 
that sensitive data on mobile devices, transmitted using 
email, or sent offsite using backup media, was encrypted, 
as appropriate. In addition, one site we visited had not 
implemented appropriate measures to protect sensitive 
information taken on foreign travel. Sites were also still 
working to complete required Privacy Impact Assessments 
(PIAs) for all systems containing privacy information. 

Encryption of Sensitive Data 

Sites reviewed had not always ensured that sensitive 
information maintained on mobile devices was encrypted. 

In addition, they did not always encrypt sensitive 
information transmitted using email or sent offsite using 
backup media. In particular, three sites had not always 
encrypted sensitive data maintained on laptop computers to 
protect against unauthorized disclosure, as required by 
Department and Federal directives. Although identified as 
a best practice by the Department and the National Institute 
of Standards and Technology (NIST), we found that full- 
disk encryption had only been deployed on approximately 
6,000 laptops believed to contain PII at Sandia National 
Laboratories (SNL). Officials at SNL told us, however, 
that they had not implemented such measures for the 
remainder of the site's approximately 12,000 laptops even 
though they assumed that all laptops maintained by the site 
contained sensitive information. 

SNL officials told us that the site had no plans to 
implement full-disk encryption on the remaining laptops 
that were assumed to contain other types of sensitive 
information such as official use only and unclassified 
controlled nuclear information. Officials noted that they 
also relied on file-level encryption software to protect 
sensitive data that was not PII, a practice with which we do 
not take issue. However, there was no assurance that all 
users had this software as it was not part of the standard 
suite of installed software. As an example of the risk of 
harm associated with not encrypting data on mobile 
devices, in one recent incident, SNL reported that an 
unencrypted laptop containing sensitive data was stolen, 
potentially exposing the information contained on the 
device. 

Lawrence Livermore National Laboratory (LLNL) officials 
also assumed that each of the laboratory's approximately 
7,000 laptops contained some form of sensitive 
information, but they had not evaluated or confirmed that 
computers containing sensitive data were appropriately 
secured. Although LLNL developed a plan to install full- 
disk encryption software on approximately 2,500 laptop 
computers expected to be taken offsite, officials 
commented that they had not yet begun to implement this 
initiative due to funding limitations. In addition, we noted 
that because of the limited scope of the site's encryption 
plan, less than half of the total laptops used at the site are to 
be protected. 

We also found that sensitive information transmitted via 
email or sent offsite using backup tapes was not always 
encrypted at several sites. For instance, SNL site-level 
policy did not require users to encrypt emails containing 
sensitive data when sent within the internal network even 
though encryption in these circumstances was required by 
both Department directives and the National Nuclear 
Security Administration (NNSA) policy. Although a SNL 
cyber security official commented that compensating 
network controls, such as firewalls and routers, were in 
place on the internal network to protect such transmissions 
from unauthorized disclosure, the Sandia Site Office's 
Designated Approving Authority believed these controls 
did not adequately mitigate the risk and that all emails 
containing sensitive unclassified information should be 
encrypted. To its credit, SNL officials commented that 
they had implemented encryption capabilities to protect 
email transmissions and updated site-level policy after our 
site visit. 

While not every email or backup media must be encrypted, 
DOE Manual 205.1-7 - Security Controls for Unclassified 
Information Systems Manual requires that "...all SUI 
[Sensitive Unclassified Information] on all portable/mobile 
devices and removable media, such as CDROMS or thumb 
drives containing SUI/PII must be encrypted." In addition, 
Office of Management and Budget (OMB) Memorandum 
06-16 - Protection of Sensitive Agency Information 
directed that, "In those instances where personally 
identifiable information is transported to a remote site, 
implement NIST Special Publication 800-53 security 
controls ensuring that information is transported only in 
encrypted form." 

However, we found that backup tapes at LLNL and the 
Pacific Northwest National Laboratory (PNNL) were not 
always encrypted in accordance with Department and 
program directives. Specifically, we noted that although 
both LLNL and PNNL sent their backup tapes offsite, they 
did not encrypt the contents of those backups before 
turning them over to their archive/storage subcontractors. 
Because LLNL officials assumed that all of their systems 
contained sensitive information, we believe that the backup 
tapes should have been encrypted in accordance with 
Department and OMB requirements. Although PNNL 
officials did not make the same assumption, they had not 
ensured that sensitive data was not contained on the tapes 
or was appropriately secured. 

Laptops on Foreign Travel 

Laptop computers taken on foreign travel by users at LLNL 
were not adequately protected against cyber security 
threats. In August 2007, the Directors at each of the 
NNSA's three weapons laboratories agreed to implement a 
pool of common laptops specifically configured and 
managed for use on foreign travel. However, more than 
one year later, LLNL had not yet implemented this 
approach. Based on our sample of ten users who took their 
laptops on foreign travel, including individuals that traveled 
to sensitive foreign countries, we found that only six of 
them had encryption capabilities on their laptops and only 
one of those users utilized full-disk encryption. Although 
LLNL laptops taken on foreign travel were physically 
inspected upon return, logical security assessments of 
computers to determine whether they had been tampered 
with or potentially infected with malware were not 
completed. In one case, we noted that a user connected his 
laptop to the LLNL network after he returned from travel 
but before taking his computer to the security organization 
for physical inspection, thereby subjecting LLNL to 
potential exploitation if the laptop had been compromised. 
While we noted that the use of encryption was restricted by 
certain countries, compensating controls such as assessing 
computers for security breaches immediately upon return to 
the laboratory and prior to reconnection to the site network 
could help ensure protection against the introduction of 
malware into the LLNL computing environment. 


Privacy Impact Assessments (PIAs) 

PIAs are documents approved by the Senior Agency 
Official for Privacy and are used to determine the risks of 
collecting, maintaining, and disseminating privacy data in 
an electronic information system and ensuring that controls 
are in place to protect such data. To support the 
development of PIAs, the Department's Office of 
Management issued Department of Energy Procedures For 
Conducting Privacy Impact Assessments in 2007, 
which stated that PIAs were to be conducted "...on all 
systems that contain or administer information in 
identifiable form about its employees, contractors or 
members of the public." This guidance was formalized in 
January 2009 with the issuance of DOE Order 206.1 - 
Department of Energy Privacy Program. 

While we recognize that it takes time to develop PIAs, we 
noted that assessments were not completed for at least 14 
systems (including 3 Federal systems) at 4 of the 7 sites 
reviewed. For instance, the NNSA Service Center had not 
completed any PIAs because officials stated that they did 
not have any PII in systems that were externally facing.[1] In 
another case, SNL had interpreted the guidance to mean it 
only had to perform PIAs on systems that collected 
information about members of the public, not information 
collected on employees and contractors. SNL officials 
stated they had not developed PIAs for any of their systems 
because they did not collect information about members of 
the public. Nonetheless, we noted that information was 
manually collected and then stored in a number of 
information systems by SNL officials for various Federal 
purposes such as tracking foreign national visitors. In 
contrast to these examples, the Department's Chief Privacy 
Officer noted that the Department makes no distinction 
between whether a system is internally or externally facing 
when determining whether to complete a PIA. Effective 
implementation of the PIA process should help the 
Department ensure that privacy protections are considered 
and implemented through the life of an information system. 

[1] Externally facing systems are those that are maintained by the Department and its contractors, but can be 
accessed by the public. Internally facing systems are systems that are only accessible by Department and 
contractor personnel. 


Program Implementation and Performance Monitoring 


We found that Headquarters programs and field sites had 
not fully implemented existing policies and procedures that 
require sensitive electronic data be properly secured. A 
lack of performance monitoring contributed to the 
Department's inability to ensure that adequate protections 
were in place. 


Program Implementation 

Headquarters programs and sites reviewed had not fully 
implemented policies and procedures for ensuring that 
sensitive electronic information was protected. In 
particular, Technical and Management Requirement 22 and 
DOE Manual 205.1-7, issued by the Office of the Chief 
Information Officer (OCIO), required encryption of all 
sensitive unclassified data residing on mobile computing 
devices. However, we noted that sites had not fully 
implemented this policy and had not taken action to 
implement encryption of all mobile devices such as backup 
tapes. Furthermore, LLNL had not implemented stringent 
requirements for taking sensitive data on foreign travel 
because NNSA policies did not require that such action be 
taken. 

Although OMB directed in September 2003 that agencies 
conduct PIAs for electronic information systems, the 
Department had not, until recently, issued a formal policy 
requiring PIAs for all systems containing privacy 
information. While the Department's Office of 
Management issued the Department of Energy Procedures 
For Conducting Privacy Impact Assessments in 2007, 
which stated that PIAs should be completed for all 
systems containing privacy information, this guidance had 
not been formalized into policy until after our review and 
was not included in site-level contracts. As such, officials 
at a number of sites reviewed commented that they were 
not required to follow the guidance. Lacking specific 
implementation direction, contractors had inconsistently 
interpreted OMB direction. 

Even though NNSA program policy referred to the OMB 
direction as a requirement, NNSA's policy specifically 
excluded systems that were only accessible internally. The 
Department's Chief Privacy Officer stated that in July 2008, 
NNSA officials agreed to develop PIAs for all systems 
containing PII, but our review of three NNSA sites 
disclosed that the sites had no plans to develop additional 
assessments. Subsequent to our field work, the Department 
issued DOE Order 206.1 that formally required a PIA for 
all unclassified systems containing federal employee and 
contractor privacy data, as well as information on members 
of the public. When fully implemented, this directive 
should help the Department ensure that systems containing 
privacy information are adequately assessed for protective 
measures. 


Performance Monitoring 


Headquarters programs and sites reviewed had not 
effectively implemented performance monitoring activities 
to ensure that sensitive electronic information was 
adequately protected. For instance, even though 
management agreed with a recommendation in our 
previous 2007 report on Security over Personally 
Identifiable Information that Department officials perform 
random checks to verify that PII on mobile computing 
devices was encrypted, none of the sites reviewed had 
instituted such a process. In SNL's case, officials had not 
ensured that all individuals even had the capability to 
encrypt sensitive data. Specifically, we noted that SNL 
maintained only 6,956 file-level encryption software 
licenses for nearly 12,000 members of the workforce 
despite the fact that officials assumed that every computer 
contained sensitive information. Furthermore, even though 
users at PNNL were responsible for installing encryption 
software, because it was not part of the standard suite of 
software, site officials did not perform reviews to 
determine whether users had actually installed the software. 
To their credit, the two Office of Environmental 
Management sites reviewed had ensured that full-disk 
encryption was installed on all laptops, effectively 
eliminating the need to conduct random inspections. 
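As an added illustration of the verification activity this section describes (example code written for this page, not from the report or any DOE site; the inventory columns, asset IDs and the CSV export format are constructed assumptions), the following Python script applies the report's own criteria to a fleet inventory: every laptop counts as a mobile device whatever the site's classification says, a device is assumed to hold sensitive data unless a positive "no" determination was recorded, full-disk encryption needs no hands-on check, and a file-level tool that users install themselves still has to be verified.

```python
"""Fleet-level encryption verification check (added example, not from the report).

Reads a constructed asset inventory export, finds laptops the site did not treat
as mobile devices, finds in-scope devices with no encryption protection at all,
and builds the pool of devices that need a hands-on random check because they
rely on a user-installed file-level tool rather than full-disk encryption.
"""
import csv
import io
import random
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory export. Column names and asset IDs are assumptions made
# for this example; a real export would come from the site's asset management system.
INVENTORY_CSV = """\
asset_id,form_factor,site_class,fde,file_encryption_installed,contains_sensitive
LAB-0001,laptop,mobile,yes,no,yes
LAB-0002,laptop,mobile,no,yes,yes
LAB-0003,laptop,desktop,no,no,unknown
LAB-0004,laptop,mobile,no,no,yes
LAB-0005,desktop,desktop,no,no,yes
LAB-0006,laptop,mobile,no,yes,no
"""


@dataclass(frozen=True)
class Device:
    asset_id: str
    form_factor: str         # laptop, desktop, ...
    site_class: str          # how the site itself classified the device
    fde: bool                # full-disk encryption enabled
    file_encryption: bool    # file-level encryption tool installed
    contains_sensitive: str  # "yes", "no" (positive determination) or "unknown"


def parse_inventory(text: str) -> List[Device]:
    """Parse the CSV export into Device records; yes/no fields become booleans."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        devices.append(Device(
            asset_id=row["asset_id"].strip(),
            form_factor=row["form_factor"].strip().lower(),
            site_class=row["site_class"].strip().lower(),
            fde=row["fde"].strip().lower() == "yes",
            file_encryption=row["file_encryption_installed"].strip().lower() == "yes",
            contains_sensitive=row["contains_sensitive"].strip().lower(),
        ))
    return devices


def is_mobile(d: Device) -> bool:
    """Every laptop is a mobile device, regardless of the site's own classification."""
    return d.form_factor == "laptop" or d.site_class == "mobile"


def in_scope(d: Device) -> bool:
    """Encryption is required unless the site positively determined there is no sensitive data."""
    return is_mobile(d) and d.contains_sensitive != "no"


def summarize(text: str) -> Dict[str, object]:
    """Group the inventory into the findings an auditor would report."""
    devices = parse_inventory(text)
    scoped = [d for d in devices if in_scope(d)]
    return {
        # laptops the site did not treat as mobile devices (a monitoring gap in itself)
        "misclassified": [d for d in devices if is_mobile(d) and d.site_class != "mobile"],
        # in-scope devices with neither full-disk nor file-level encryption
        "unprotected": [d for d in scoped if not d.fde and not d.file_encryption],
        # file-level tool only: capability exists, use of it must be checked by hand
        "verify_by_hand": [d for d in scoped if not d.fde and d.file_encryption],
        # share of in-scope devices that need no random inspection at all
        "fde_coverage": (sum(d.fde for d in scoped) / len(scoped)) if scoped else 1.0,
    }


def audit_sample(devices: List[Device], n: int, seed: int) -> List[str]:
    """Draw a reproducible random sample of asset IDs for hands-on inspection."""
    rng = random.Random(seed)
    return sorted(d.asset_id for d in rng.sample(devices, min(n, len(devices))))


if __name__ == "__main__":
    report = summarize(INVENTORY_CSV)
    for key in ("misclassified", "unprotected", "verify_by_hand"):
        print(key, [d.asset_id for d in report[key]])
    print("fde_coverage", report["fde_coverage"])
    print("sample", audit_sample(report["verify_by_hand"], 3, seed=1))
```

Devices in `verify_by_hand` form the pool from which the random inspection sample is drawn; `unprotected` and `misclassified` are findings in their own right and need no sampling. Devices with full-disk encryption enabled are counted toward coverage and skipped, which is the effect the report attributes to the two Environmental Management sites.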

We also found that NNSA monitoring procedures did not 
detect nearly 1,300 laptops at SNL that were not encrypted 
because the site did not consider them mobile devices. We 
had previously identified this weakness within NNSA in 
our 2007 report on Security Over Personally Identifiable 
Information, and Headquarters cyber security officials told 
us that all laptops should be considered mobile devices and 
protected through encryption. 

Information Security and Assurance 

Without improvements to ensure adequate controls are in 
place, the Department may have difficulty protecting its 
sensitive electronic information, including PII. 

Specifically, the failure to encrypt all sensitive data 
maintained on mobile devices or transmitted using email or 
backup media could result in its unnecessary exposure of 
privileged data. For instance, the sites reviewed reported 
more than 240 computers lost or stolen during the last two 
fiscal years. However, none of the sites could ensure that 
sensitive unclassified information was protected on those 
machines through the use of encryption software. In 
addition, the importance of protecting sensitive data 
transported offsite using mobile media was highlighted 
when PII of 59,000 former employees at one of the 
Department's national laboratories was recently lost during 
a shipment as part of the Department's Former Worker 
Medical Screening Program. 

The threat to sensitive information is not limited to external 
sources, as noted in a U.S. House of Representatives 
Committee on Government Reform report - Agency Data 
Breaches Since January 1, 2003 - which indicated that the 
vast majority of data losses arose from physical thefts of 
computer equipment or unauthorized use of data by 
employees. Although encryption does not provide absolute 
assurance that sensitive data will not be exposed, it should 
enhance the Department's ability to ensure that data 
residing on lost or stolen equipment will not be 
compromised. The need for a strong risk-management 
program regarding sensitive data also becomes apparent 
when one considers that industry experts report that the 
number of cyber security threats continue to increase 
significantly each year. 

RECOMMENDATIONS 

To address the issues identified in this report, we 
recommend that as part of a risk-based sensitive data 
protection approach, the Administrator, NNSA, Under 
Secretary for Science, and Under Secretary of Energy, in 
coordination with the Department and NNSA Chief 
Information Officers: 
1. Ensure that sensitive information on mobile 
devices, transmitted using electronic mail, or sent to 
offsite backup storage is adequately protected 
through encryption; 

2. Ensure that sensitive information maintained on 
mobile computing devices taken on foreign travel is 
adequately protected and that such devices are 
physically and logically examined prior to 
reconnection to government networks; and, 

3. Verify that sensitive data on computing devices is 
identified and adequately protected by performing 
random checks. 

We also recommend that the Administrator, NNSA, the 
Under Secretary for Science, and the Under Secretary of 
Energy, in coordination with the Senior Agency Official for 
Privacy and Chief Privacy Officer: 

4. Complete required PIAs on systems that contain 
privacy information. 

MANAGEMENT AND AUDITOR COMMENTS 

Management generally concurred with the report's findings 
and with the first three recommendations. Management 
fully concurred with recommendation four. In addition, 
management indicated that it planned to address a number 
of the issues identified in our report in future Department- 
level cyber security direction. In separate comments, the 
NNSA did not specifically indicate whether it agreed with 
our recommendations. To that extent, we consider NNSA's 
comments to be non-responsive. Responses from both 
Department and NNSA management indicated concerns 
with a number of assertions made in our report. We have 
addressed management's comments below and made 
technical changes to the report, as appropriate. 
Management's comments are included in their entirety in 
Appendix 4. 

Management commented that if adequate steps were taken 
to ensure that there was no sensitive information on laptops 
or other mobile devices at a site, this determination should 
suffice without requiring encryption of all data on such 
devices. Management believed that this approach should 
help to balance risk against the cost and productivity loss 
associated with unnecessary use of encryption where its use 
is not needed. Although we agree that it may not be 
necessary to encrypt mobile devices if they do not contain 
sensitive data, the sites reviewed had not identified which 
machines contained such information but instead assumed 
that all computers contained sensitive information. 

Management commented that the type of protection 
provided for mobile computing devices taken on foreign 
travel should be determined by a local risk analysis. 
Management believed that upon return to a government site 
from foreign travel, it would be prudent to logically scan 
the device either before it is connected to a government 
network, or if connected, before it is given full access to the 
network. We agree that sites should be able to implement 
security requirements using a valid and documented risk 
analysis. However, an analysis of the need for conducting 
logical scans was not completed at LLNL - the site 
identified in the report as having security deficiencies 
related to laptops taken on foreign travel. Furthermore, as 
noted in the report, LLNL had not yet implemented a 
common pool of laptops for foreign travel as agreed to by 
the Directors of the three NNSA laboratories. 

Management noted that performing random checks on 
computing devices to ensure encryption of sensitive data 
may be helpful, but noted that consideration of the need to 
perform random checks should be based on local risk 
analysis. Although we agree that risk-based decisions 
should be made at the site-level, none of the sites visited 
had instituted such a review process or documented reasons 
for not doing so. In our opinion, absent the use of full-disk 
encryption software, it is imperative that some sort of 
verification be performed to ensure users are appropriately 
encrypting sensitive data. Management also had previously 
agreed to perform such checks and noted its agreement in 
its response to our report on PII protections. 

Management also expressed concern about the information 
included in Appendix 2 of our report. In particular, 
management indicated that consideration should be given 
to an analysis of performance, productivity, and cost when 
deciding whether to implement encryption of data at rest. 
Management's comments also indicated that there did not 
appear to be a Federal government-wide decision or 
recommendation that sensitive data on desktops or servers 
should be encrypted. Although we agree that no 
government-wide mandate existed to encrypt sensitive data 
at rest, NIST discussed the benefits of this practice in NIST 
Special Publication 800-111 - Guide to Storage Encryption 
Technologies for End User Devices. Our report included a 
discussion of both the positive and negative aspects of 
encrypting data at rest that programs and sites should 
consider when implementing their information security 
programs. 

In separate comments, the NNSA responded that while the 
term "sensitive electronic information" had no formal 
definition, three types of sensitive information were 
discussed in the report including official use only, PII, and 
unclassified controlled nuclear information. The NNSA 
noted that the protection requirements for each type of 
information arise from different legal authorities and 
require protections that differ significantly. Management 
also commented that our report did not appear to 
completely address or identify whether the Department and 
its contractors adequately protected "sensitive electronic 
information." In our report, we used "sensitive electronic 
information" to refer to various types of sensitive 
unclassified information as defined in Technical and 
Management Requirement 22, DOE Manual 205.1-7, and 
NNSA Policy Letter 14.2-C - NNSA Certification and 
Accreditation (C&A) Process for Information Systems. These 
three sources identify official use only, PII, and 
unclassified controlled nuclear information as examples of 
sensitive unclassified information. While we agree that the 
legal authorities and protection requirements may differ 
among the different categories, the issues we identified and 
our recommended corrective actions are applicable to all 
three types of sensitive electronic data. 

The NNSA commented that the audit appeared to have 
been performed against regulatory requirements for 
protection of PII on mobile devices, but that 
recommendations concerned protection of data at rest on 
servers and workstations. Our recommendations primarily 
discussed the need to protect sensitive data on mobile 
devices or in transit, not data at rest. 

The NNSA indicated that statements in our report regarding 
the use of full-disk encryption on laptops at SNL appeared 
to take issue with the site for not implementing what is 
considered a best practice and not a requirement. 

Management also stated that the report did not identify the 
number of laptops that were actually identified as mobile or 
portable. As discussed in our report, SNL did not provide 
encryption capability to all users as part of the standard 
suite of software. We do not take exception that SNL had 
not deployed full-disk encryption to all laptops, but that the 
site had not ensured all sensitive data was encrypted using 
either full-disk or file-level encryption. While we noted 
during discussions with site officials and a review of 
documentation obtained from the site that only about ten 
percent of laptops were not transported offsite, NNSA 
Headquarters cyber security officials believed that all 
laptops should be considered mobile devices and 
appropriately protected. 

The NNSA commented that we did not confirm if PII was 
contained on LLNL backup tapes that were turned over to 
its archive/storage subcontractors. Officials also noted that 
NIST Special Publication 800-53 - Recommended Security 
Controls for Federal Information Systems and DOE 
Manual 205.1-7 did not specifically require the use of 
encryption for sensitive information when transported to 
and stored at remote sites, but allowed approving 
authorities to utilize a risk assessment to guide the use of 
encryption and/or physical security controls in this 
instance. Although we did not confirm whether the backup 
tapes at LLNL contained PII, officials at the site told us that 
they operated under the assumption that all systems 
contained some form of sensitive unclassified information. 
Therefore, enforcement of DOE Manual 205.1-7 would 
require the site to ensure that "...all SUI [Sensitive 
Unclassified Information] on all portable/mobile devices 
and removable media, such as CDROMS or thumb drives 
containing SUI/PII must be encrypted." Furthermore, a site 
security official noted during our review that the failure to 
encrypt backup tapes at the laboratory was a weakness that 
the site should address in the future. 

The NNSA noted that PIAs did not need to be developed 
for contractor systems that collect only contractor 
information. The NNSA also noted that our report did not 
identify whether the systems indicated in the report as not 
having a PIA were due for one, as policies require PIAs to 
be completed during development or the certification and 
accreditation process. Furthermore, the NNSA commented 
that the manual collection of PII did not require a PIA. We 
determined that DOE Order 206.1 required that PIAs be 
conducted on all systems that contain or administer 
information in identifiable form about its employees, 
contractors, or members of the public. We also noted that 
the requirement to complete a PIA was established in the 
E-Government Act of 2002. As such, all 14 of the systems 
identified in our report should have been certified and 
accredited at least once since that time and the need for a 
PIA recognized. Department directives also required that 
all unclassified systems have a Privacy Needs Assessment 
or PIA that must be reviewed and updated annually. 
Finally, while we agree that the manual collection of PII 
did not by itself require the development of a PIA, the 
example noted in our report identified that SNL was 
manually collecting PII and inputting that information into 
an online database, thereby creating the need for such an 
assessment. 


Appendix 1 

OBJECTIVE 

To determine whether the Department of Energy (Department) 
and its contractors adequately safeguarded sensitive electronic 
information. 

SCOPE 

The audit was performed between July 2008 and April 2009 at 
Department Headquarters in Washington, DC, and 
Germantown, Maryland; the Lawrence Berkeley National 
Laboratory, Berkeley, California; the Lawrence Livermore 
National Laboratory, Livermore, California; the Sandia 
National Laboratories, New Mexico and National Nuclear 
Security Administration (NNSA) Service Center, Albuquerque, 
New Mexico; and the Richland Operations Office, Office of 
River Protection, and the Pacific Northwest National 
Laboratory, Richland, Washington. 

METHODOLOGY 

To accomplish the audit objective, we: 

• Reviewed Federal regulations and Departmental 
directives and guidance pertaining to protecting 
sensitive electronic information; 

• Reviewed prior reports issued by the Office of 
Inspector General and the Government Accountability 
Office; 

• Reviewed program and site-level policies relevant to 
protecting sensitive electronic information; 

• Held discussions with program officials from 
Department Headquarters and sites reviewed, including 
representatives from the Offices of Management, the 
Chief Information Officer, Health, Safety and Security, 
Environmental Management, Civilian Radioactive 
Waste Management, Science, as well as the NNSA; 
and, 

• Interviewed employees at the sites visited to determine 
whether sensitive electronic information was 
adequately protected while on foreign travel. 

We conducted this performance audit in accordance with 
generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis 
for our findings and conclusions based on our audit objectives. 


We believe the evidence obtained provides a reasonable basis 
for our findings and conclusions based on our audit objectives. 
The audit included tests of internal controls and compliance 
with laws and regulations to the extent necessary to satisfy the 
audit objective. Because our review was limited, it would not 
necessarily have disclosed all internal control deficiencies that 
may have existed at the time of our audit. We also assessed 
performance measures in accordance with the Government 
Performance and Results Act as they related to protecting 
sensitive electronic information. Although we did not identify 
measures specific to protecting sensitive electronic 
information, we noted that limited measures did exist related to 
cyber security. We did not rely on computer-processed data to 
satisfy our audit objective. 

Management waived an exit conference. 
OTHER MATTERS FOR CONSIDERATION 


In addition to the weaknesses identified related to protecting unclassified sensitive electronic 
information discussed in this report, we also identified an additional area for consideration at 
the seven sites reviewed. Specifically, none of the sites reviewed had encrypted sensitive data 
at rest on desktops and servers even though this was identified as a best practice by the 
National Institute of Standards and Technology (NIST) and other industry organizations. 

As part of an effective risk management process, NIST Special Publication 800-111 - Guide to 
Storage Encryption Technologies for End User Devices, indicates that full-disk encryption can be 
used to protect all data on a device against loss or theft, and file or folder level encryption can 
be used to retain protection while the device is powered on for data that is more sensitive than 
the rest of the data. Although management's preliminary comments on our report indicated 
that sites had used a risk-based approach to determine that sensitive data at rest did not need to 
be encrypted, sites did not provide documentation supporting accepted risks when requested. 
While not providing absolute assurance that sensitive data could not be exposed, NIST and 
other industry sources have reported that encryption of sensitive data at rest is an integral part 
of a strong cyber security strategy. Certain Department of Defense activities recently initiated 
plans to implement NIST recommendations by requiring that all sensitive data at rest be 
encrypted. 
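The file-level protection that NIST SP 800-111 describes, as an added illustration written for this page (it is not code from the report or from any Department system): the program below seals a constructed personnel record with AES-256-GCM, binds the file's relative path in as associated data, and stores only the ciphertext on disk, so the record stays unreadable and tamper-evident while the machine is powered on and the key is held elsewhere. The key-generation routine, the record contents and the file names are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// NewFileKey returns a fresh 256-bit AES key. On a real endpoint the key
// would be issued and wrapped by a key manager; generating it here is an
// assumption that keeps the example self-contained.
func NewFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals one file's contents with AES-256-GCM. The file's
// relative path is bound in as associated data, so a ciphertext copied
// under another name fails to open. Layout: nonce || ciphertext || tag.
func EncryptFile(key, plaintext, relPath []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, relPath), nil
}

// DecryptFile reverses EncryptFile. GCM authenticates the nonce, the
// ciphertext and the path, so any modification makes Open fail closed.
func DecryptFile(key, blob, relPath []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, relPath)
}

func main() {
	key, err := NewFileKey()
	if err != nil {
		panic(err)
	}
	dir, err := os.MkdirTemp("", "file-encryption-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed sample record; not real PII.
	rel := "hr/record-0001.txt"
	record := []byte("name=J. Doe; employee_id=000000; ssn=000-00-0000")

	blob, err := EncryptFile(key, record, []byte(rel))
	if err != nil {
		panic(err)
	}
	encPath := filepath.Join(dir, "record-0001.txt.enc")
	if err := os.WriteFile(encPath, blob, 0o600); err != nil {
		panic(err)
	}

	// While the machine runs, only ciphertext is on disk; the plaintext
	// exists in memory only for the moment a keyed process needs it.
	onDisk, err := os.ReadFile(encPath)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptFile(key, onDisk, []byte(rel))
	fmt.Printf("recovered with key: %q (err=%v)\n", plain, err)

	// A single flipped byte in the stored file is detected, not decrypted.
	onDisk[len(onDisk)-1] ^= 0x01
	_, err = DecryptFile(key, onDisk, []byte(rel))
	fmt.Println("tampered copy rejected:", err != nil)
}
```

Two points the paragraph leaves implicit: full-disk encryption gives no protection once the device is unlocked, which is exactly the gap this per-file layer closes, and GCM with random 96-bit nonces should not protect more than a few billion files under one key, so a deployment would issue per-file or per-folder keys from the key manager rather than reuse one key across a fileserver.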

While encryption of data at rest has a number of benefits, it also presents certain obstacles that 
should be considered. For instance, research has demonstrated that, in certain cases, 
encryption can cause a loss of functionality, slowed operation time, or decreased computer 
performance. In addition, implementing encryption technologies on data at rest may require a 
large investment in software and hardware, as well as the potential need for additional support 
costs. Furthermore, as stressed by certain program officials, encryption may not be useful 
where internal controls are weak or are circumvented by malicious attacks. 

SUGGESTIONS FOR IMPROVEMENT 

To help support a defense-in-depth strategy and decrease the risk of compromise to sensitive 
information, we suggest that the Administrator, National Nuclear Security Administration 
(NNSA), Under Secretary for Science, and Under Secretary of Energy, in coordination with the 
Department and NNSA Chief Information Officers: 

1. Employ a documented, risk-based decision process to identify situations in which 
encryption of sensitive data at rest is appropriate. 


Appendix 3 


PRIOR REPORTS 


Office of Inspector General Reports 

• Management Challenges at the Department of Energy (DOE/IG-0808, December 2008). 

The Office of Inspector General (OIG) identified six significant management challenges 
facing the Department of Energy (Department), including cyber security. The report 
noted that although the Department had made improvements in its unclassified cyber 
security program, we continued to identify deficiencies, including problems relevant to 
certification and accreditation of systems, contingency planning, systems inventory, and 
segregation of duties. 

• Security Over Personally Identifiable Information (DOE/IG-0771, July 2007). The OIG 
determined that the Department had not identified all site-level systems containing 
personally identifiable information or evaluated the risks associated with maintaining 
such systems; remote access protection measures had not been fully deployed in 
accordance with Departmental direction; and, sites had not identified mobile computing 
devices containing personally identifiable information nor ensured that such information 
was encrypted. 

• Excessing of Computers Used for Unclassified Controlled Information at Lawrence 
Livermore National Laboratory (DOE/IG-0759, March 2007). The Lawrence 
Livermore National Laboratory's (LLNL) policies, procedures, and internal controls 
regarding the excessing of unclassified computers were not always consistent with 
applicable Department policies. As a result, LLNL did not ensure that stored data was 
properly removed from embedded memory devices, computer hard drives were 
adequately sanitized, and the sanitization of memory devices was properly documented. 

• Alleged Loss or Theft of Personally Identifiable Information at the Pantex Plant 
(DOE/IG-[report number illegible], February 2007). The Pantex Plant had significant internal control weaknesses in the 
management and retention of I-9 forms. Three factors that contributed to Pantex's 
inability to locate 442 I-9 forms when requested were: the possible premature 
destruction of files, a misunderstanding of record retention requirements, and the 
possible failure of the management and operating contractor to verify employment 
eligibility for employees who transferred to Pantex from other sites. 

Government Accountability Office Reports 

• Information Security: Federal Agency Efforts to Encrypt Sensitive Information Are 
Under Way, but Work Remains (GAO-08-525, June 2008). The Government 
Accountability Office (GAO) reported that 24 major Federal agencies had implemented 
encryption and developed plans to implement encryption of sensitive information to 
varied extents. From July through September 2007, the major agencies collectively 
reported that they had not yet installed encryption technology to protect sensitive 
information on about 70 percent of their laptop computers and handheld devices. While 
all agencies had initiated efforts to deploy encryption technologies, none had 
documented comprehensive plans to guide encryption implementation activities such as 
installing and configuring appropriate technologies in accordance with Federal 
guidelines, developing and documenting policies and procedures for managing 
encryption technologies, and training users. 
Department of Energy 
National Nuclear Security Administration 
Washington, DC 20585 

June 25, 2009 

MEMORANDUM FOR: Rickey R. Hass 
                Deputy Inspector General 
                for Audit Services 

FROM: [signature illegible] 
      Associate Administrator 
      for Management and Administration 

SUBJECT: Comments to Draft IG Audit Report on Sensitive Electronic 
         Information, Audit No. 2008-02007 

The National Nuclear Security Administration (NNSA) appreciates the opportunity to 
provide comments to the IG's draft report, "Protection of the Department's Sensitive 
Electronic Information." I understand that this audit was initiated to determine whether 
the Department and its contractors adequately safeguarded sensitive electronic 
information. 

NNSA has a number of concerns with the current structure of this report. The term 
"sensitive electronic information" has no formal definition and three types of sensitive 
information are discussed in the report (Official Use Only (OUO), Personally Identifiable 
Information (PII) and Unclassified Controlled Nuclear Information (UCNI)). The 
protection requirements for each type of information arise from different legal authorities 
and require protections that differ significantly. By combining these types of information 
together, the IG report does not appear to completely address or identify whether DOE 
and its contractors are adequately protecting "sensitive electronic information." 

Further complicating matters, the audit seems to have been performed against regulatory 
requirements requiring protection of PII on mobile devices, but recommendations 
concern protection of data on servers and workstations. It would be easier to resolve these 
IG concerns if the recommendations are revised to address the protection requirements 
of each category of information separately. 

Specific Comments on Technical Areas in Report 

Encryption of Sensitive Data 

The IG report states that the Department and NIST identify full-disk encryption as a 
best practice and goes on to further state that "...we found that full-disk encryption had only 
been deployed on approximately [number illegible] laptops believed to contain PII at SNL even 
though site officials assumed that each of the approximately 12,000 laptops maintained 
by the site contained sensitive information." As written, this statement appears to take 
issue against Sandia National Laboratories (SNL) for not implementing what is 
considered a best practice and not a requirement. Additionally, the report does not 
identify the number of laptops out of the 12,000 cited were actually identified as 
mobile/portable (used/transported beyond the perimeter of the facility). 

The third paragraph under this section goes on to identify that encryption was not always 
used in the transmission of sensitive information within the internal network via email or 
when sent offsite on backup tapes and it goes on to quote an SNL official on the 
compensating controls in place and the DAA's statement that he believed that the 
compensating controls did not adequately mitigate the risk. The report does not clearly 
specify whether the SNL official was addressing the issue as a whole or purely from an 
internal network perspective. Also, DOE Manual 471.3-1 allows the transmission of 
Official Use Only (OUO) information by unencrypted email using a word processing file that is 
protected by a password. 

The fourth paragraph talks about DOE Manual 205.1-7 requiring encryption on all 
portable/mobile devices containing SUI/PII... and OMB Memorandum 06-16 directing that 
"In those instances where personally identifiable information is transported to a remote 
site, implement NIST SP 800-53 security controls ensuring that information is transported 
only in encrypted form." However, the IG report did not confirm if PII was contained on 
the LLNL backup tapes that were turned over to their archive/storage subcontractors. 

NIST 800-53 does not specifically require the use of encryption for sensitive information 
when transported to and stored at remote sites. It allows approving authorities to utilize 
an organizational assessment of risk to guide the use of encryption and/or physical 
security controls in this instance. DOE Manual 205.1-7 restates these controls verbatim. 

Laptops on Foreign Travel 

The IG report states that laptop computers taken on foreign travel by users at LLNL were 
not adequately protected against cyber threats. However, the report does not 
acknowledge that encryption is controlled or restricted in many countries. Some 
countries ban, or severely regulate, the import, export, or use of this technology. Taking 
laptops with encryption software into these countries could lead to imprisonment or laptop 
confiscation. The IG report does not identify if the countries visited exercised such 
restrictions. The IG report should identify if the countries visited exercised such restrictions. 

Privacy Impact Assessments 

The IG report cites DOE procedures on page [illegible] that PIAs were to be conducted on all 
systems that contain or administer information in identifiable form about its employees, 
contractors, or members of the public. However, NNSA has no legal authority to conduct 
PIAs on contractor systems storing information about contractors. The IG report does not 
identify if the systems cited were contractor systems collecting contractor information. 

The IG audit began in July 2008, prior to the issuance of the DOE Order, and was finished 
during April 2009. The IG report fails to identify if the 14 systems cited were due for a 
PIA as the policy requires PIAs to be completed during development or Certification and 
Accreditation. 

Although one section of the policy states it will be the policy of DOE to conduct 
PIAs on all systems that contain or administer information in identifiable form about its 
employees, the section also states the requirements differently. The manual 
collection of PII does not require PIAs. The E-Gov Act only requires PIAs for electronic 
systems. According to the Privacy Act, its requirements apply specifically to records 
under the control of an agency that hold PII about US citizens and lawful permanent 
residents and does not extend Privacy Act [coverage] to [illegible] foreign nationals. 
Additionally, the Contractor Requirements Document (CRD) in the Order was issued in 
January 2009 and provides specific contractor requirements. 

As the CRD requires contractors at a minimum to comply with the Privacy Act, and take 
appropriate actions to assist DOE in complying with Section 208 of the E-Government 
Act of 2002, and Office of Management and Budget (OMB) directives, the report did not 
mention if the systems reviewed were Federal systems or contractor systems with 
contractor-owned information or information that is collected and maintained for the 
Federal Government. The DOE requirements were quoted as it applies to Federal 
systems but unless those requirements are included in the CRD they are not imposed on 
the contractor. 

cc: Karen Boardman, Director, Service Center 
    David Boyd, Senior Procurement Executive 
    Linda Wilbanks, Chief Information Officer 
Department of Energy 
Washington, DC 20585 

June 30, 2009 

MEMORANDUM FOR RICKEY R. HASS 
               DEPUTY INSPECTOR GENERAL 
               OFFICE OF AUDIT SERVICES 
               OFFICE OF THE INSPECTOR GENERAL 

FROM: [signature block illegible] 

SUBJECT: Draft Inspector General Report on "Protection of the Department's 
         Sensitive Electronic Information," IG-34 (A08TG063) 

The Office of the Chief Information Officer (OCIO) appreciates the opportunity to provide 
comments on behalf of the Department on the Office of Inspector General's May 19, 2009, draft 
report on protection of the Department's sensitive electronic information. The Department 
recognizes the importance of providing adequate protection of sensitive electronic information, 
and we appreciate the Inspector General's attention to this important concern. 

The Department's Chief Financial Officer has requested that the OCIO respond to the 
recommendations of this draft report, consolidating the Department's comments from the various 
Departmental Program offices, including comments from the Office of Science, the Office of 
Civilian Radioactive Waste Management, Environmental Management, and Nuclear Energy. 

Comments that address the specific recommendations of the draft report are included below, 
while technical comments on the draft report are included in the attachment to this 
memorandum. 

Recommendation 1 

Ensure that all sensitive [information on mobile devices, transmitted] using electronic [means], or sent to 
offsite backups is adequately protected through encryption. 

We partially concur with this recommendation. If adequate steps are taken to ensure that there 
is no sensitive information on a laptop, or on all the laptops or other mobile devices at a site, this 
determination should suffice without requiring encryption of all data on such devices. This 
should help to balance risk against the cost and productivity loss associated with unnecessary 
use of encryption where its use is not indicated, including use of alternative mitigating 
controls as appropriate. We will ensure that this topic is addressed adequately in future 
Department-level cyber security direction, taking into account OMB and other external 
government-wide direction that is in place at that time. 
Recommendation 2 

Ensure that sensitive information maintained on mobile computing devices used on foreign 
travel is adequately protected and that such devices are physically audited and/or [illegible] prior 
to re-connection to government networks. 

We believe that the type of protection given to a mobile computing device taken on foreign 
travel should be based on a risk analysis. If no sensitive information is on the device, 
protection such as encryption is probably not necessary. When such a device is returned to a 
government facility, it is a good idea to physically scan the device before it is 
connected to a government network or when it is connected, before it is granted access to the 
network, and the decision as to whether to do so should be based on a risk analysis. 

We will ensure that this topic is addressed adequately in future Department-level cyber 
security direction, taking into account OMB and other external government-wide direction that 
is in place at that time. 

Recommendation 3 

Verify that sensitive information on computing devices is [illegible] adequately protected by 
performing random checks. 

While this might be helpful, providing "random" checks should be based on consideration of the need to perform 
random checks and should be based on a risk analysis that takes into account the cost and 
possible loss of productivity that may result. The Department appreciates that the Inspector 
General, in its audits and evaluations, [regularly examines] devices at selected sites 
and systems, helping to ensure that adequate protection is in place, consistent with 
applicable policy. 

Recommendation 4 

Complete required privacy impact assessments on systems that contain privacy information. 

We concur with this recommendation. 

Attachment 
Attachment to memorandum from Thomas N. Pyke, Jr. to Rickey R. Hass regarding draft 
Inspector General Report on "Protection of the Department's Sensitive Electronic 
Information," IG-34 (A08TG063) 

Please consider these technical comments on the draft report. 

In the [section title illegible] section, the first paragraph states "none of the sites reviewed 
had instituted such a process." At least one Environmental Management site indicated that 
they perform full disk encryption of all laptops, and they do not feel it is necessary to 
check the laptops for sensitive information. It is not clear whether the report is suggesting 
that laptops be periodically checked to ensure that they are actually encrypted, to ensure that 
the encryption software or hardware is working as intended, or to determine that file/folder 
encryption, if used, is being done correctly. We are [illegible] that appropriate protection be in 
place, based on risk assessment [illegible] relative to cost and 
productivity. 

In the Information Security and Assurance section, incident statistics are cited as evidence of a 
growing problem related to the [illegible] (theft or loss, [illegible], or 
unauthorized use) of sensitive information. Citing incident reporting data in this way can be misleading, since 
increased awareness [and] reporting of incidents and deployment of improved 
monitoring and detection systems are contributing to increasing numbers of reports. As a result 
of these factors, this may not actually be a growing problem, as is stated in the report. Also, 
multiple program offices noted that the last paragraph of this section creates an 
inference that Idaho National Laboratory (INL) lost the Personally Identifiable Information 
(PII) of 59,000 employees. This paragraph should be made clear that it was another DOE 
organization that was responsible for the disclosure of PII, not INL. 

We are also concerned about Appendix 2 of the draft report, Other Matters for Consideration. 
The draft report points out that none of the sites reviewed had implemented full-disk 
encryption of data at rest, except for mobile devices, nor had they provided documentation 
supporting the accepted risk of sensitive data not being encrypted at rest. 

It appears that the Federal Government has made an appropriate risk-based decision that 
encryption is important for laptops and removable media that may contain sensitive information. 
This is reflected in OMB direction and NIST SP 800-111's reference to that direction. But there 
does not appear to be a clear Federal Government-wide decision or recommendation that all 
sensitive data on desktops or servers should be encrypted. There is a possible adverse impact on 
performance, productivity, and costs associated with consideration of this type of 
encryption, and the risk would have to be very high to overcome these concerns. With our 
current DOE cyber security management structure, neither DOE nor any of the program owners 
have chosen to recommend or require consideration of encryption of sensitive data on desktops 
or servers. Of course, each DAA, in carrying out his or her C&A duties, addresses the risk 
associated with each system and the data on that system and could choose to require this 
unusually aggressive type of control if he or she felt it to be necessary to reduce the residual 
risk associated with the system to an acceptable level, taking into account performance, 
productivity, and cost. 
CUSTOMER RESPONSE FORM 


The Office of Inspector General has a continuing interest in improving the usefulness of 
its products. We wish to make our reports as responsive as possible to our customers' 
requirements, and, therefore, ask that you consider sharing your thoughts with us. On the 
back of this form, you may suggest improvements to enhance the effectiveness of future 
reports. Please include answers to the following questions if they are applicable to you: 

1. What additional background information about the selection, scheduling, scope, or 
procedures of the inspection would have been helpful to the reader in understanding 
this report? 

2. What additional information related to findings and recommendations could have 
been included in the report to assist management in implementing corrective actions? 

3. What format, stylistic, or organizational changes might have made this report's 
overall message more clear to the reader? 

4. What additional actions could the Office of Inspector General have taken on the 
issues discussed in this report which would have been helpful? 

5. Please include your name and telephone number so that we may contact you should 
we have any questions about your comments. 


Name _ Date _ 

Telephone _ Organization 


When you have completed this form, you may telefax it to the Office of Inspector 
General at (202) 586-0948, or you may mail it to: 

Office of Inspector General (IG-1) 

Department of Energy 
Washington, DC 20585 

ATTN: Customer Relations 


If you wish to discuss this report or your comments with a staff member of the Office of 
Inspector General, please contact Judy Garland-Smith (202) 586-7828. 
The Office of Inspector General wants to make the distribution of its reports as customer friendly 
and cost effective as possible. Therefore, this report will be available electronically through the 
Internet at the following address: 

U.S. Department of Energy Office of Inspector General Home Page 
http://www.ig.energy.gov 


Your comments would be appreciated and can be provided on the Customer Response Form. 



